# cryptogoth/school

Added prelim files for final project LaTeX.

1 parent ac72c03 commit f0489bee9cc0208faf9e4910d730613de51c6ed5 Paul Pham committed Mar 18, 2011
 @@ -0,0 +1,13 @@ +\section{Abstract} + +In this project, I critique the public-key quantum money scheme of +\cite{Farhi2010} based on the hardness of finding equivalent +mathematical knots and creating a weighted superposition of +corresponding grid diagrams that correspond to the same Alexander +polynomial. +I sketch a loose upper bound for the damage to a valid +money state from the verification procedure and characterize the +desired behavior of Markov chain mixing in order to distinguish +valid and invalid money states with a polynomial number of trials. +In conclusion, I propose extensions to this work to create +a more concrete scheme and to defend against future attacks.
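Review bot: In the abstract's first sentence, "a weighted superposition of corresponding grid diagrams that correspond to the same Alexander polynomial" doubles up "corresponding"/"correspond"; suggest "a weighted superposition of the grid diagrams that share that Alexander polynomial". Also, \section{Abstract} typesets the abstract as a numbered section; the standard article classes provide \begin{abstract} ... \end{abstract}, which is what a reader will expect here.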
 
@@ -0,0 +1,49 @@ +\section{Possible Attacks} + +Since this scheme of quantum money from knots is based on conjectures, this +points the way to several future attacks. + +\begin{enumerate} +\item Reverse engineering from the Alexander polynomial $p$. If the attacker +could easily find all equivalent grid diagrams to a single "canonical" grid +diagram corresponding to the serial number, he could create the correctly +weighted superposition to duplicate $\ket{\$_p}$. Call +$\mathcal{G}_{2\overline{D}}$the set of all grid diagrams of up to size +$2\overline{D}$. +The attacker could enumerate over +exponentially many grid moves within$\mathcal{G}_2\overline{D}$, +or he could enumerate over all grids in$\mathcal{G}_2\overline{D}$assuming +he has an oracle for determining if two grid diagrams are equivalent. +Both would take exponential time. +Alternatively, suppose that a polynomial time algorithm exists to extract from +each grid diagram +(encoded in$O(\overline{D}^2)$+bits) either the moves to get to all but exponentially many equivalent +diagrams or (even more unlikely) the equivalent diagrams themselves. +We would have to be able to upper bound the number of equivalent grid diagrams to +also be$O(\overline{D}^2)$, which we currently don't know how to do. +\item +It turns out that a certain class of states can be efficiently copied, which +includes the eigenstates of some classical reversible circuit. +A special case of this +are the states$\ket{\psi_{n,k}}$used to enact arbitrary controlled phase +rotations in the quantum compiling algorithm of Kitaev, Shen, and Vyalyi +\cite{KSV02}, where the state to copy (say$\ket{\psi_{n,1}}$which is hard +to produce) is of the +same form as the "empty" register to hold the new copy ($\ket{\psi_{n,0}}$, which +is easy to produce). 
As in +\begin{displaymath} +\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow +\ket{\psi_{n,1}}\otimes\ket{\psi_{n,1}} +\end{displaymath} +If it turns out that weighted superpositions of equivalent +grid diagrams are within that class of states, then the valid money state +$\ket{\$_p}$ could be copied into an entangled pair +$\ket{\$_p} \otimes \ket{\$_p}$ +can somehow be used toese are somehow encoded in the grid diagram itself, +waiting to be extracted. +he might be able to somehow extractEven if he is given an +oracle to +come up with a "canonical" grid diagram corresponding to the serial number and + +\end{enumerate}
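Review bot: The end of the second \item is unfinished draft text and should not go in as-is: "can somehow be used toese are somehow encoded in the grid diagram itself, / waiting to be extracted. / he might be able to somehow extractEven if he is given an" are fragments of at least three sentences run together, and the item stops at "serial number and" right before \end{enumerate}. Either finish the argument (state what the entangled pair $\ket{\$_p} \otimes \ket{\$_p}$ would let a forger pass, as the Future Extensions section does with "either half of which would pass verification") or cut the item back to the displaymath and the one sentence after it. Separately, the subscript in $\mathcal{G}_2\overline{D}$ (used twice) lacks braces and will typeset as G with subscript 2 followed by a bar-D; it should match the definition $\mathcal{G}_{2\overline{D}}$ two lines earlier. Several inline math runs also lack a following or preceding space ("$\mathcal{G}_{2\overline{D}}$the set", "within$\mathcal{G}_2\overline{D}$", "encoded in$O(\overline{D}^2)$"), and the straight quotes in "canonical" and "empty" should be LaTeX ``...'' quotes.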
 @@ -0,0 +1,52 @@ +\section{Damage from Measuring Valid Money States} + +In Step 3, we are cutting off the tails of the Gaussian distribution +to eliminate a certain class of equivalent knot diagrams with size close +to $2\overline{D}$ or $2$ which are easy to create due to the edge cases +in our Markov chain moves. Otherwise, these easily forgeable states would +pass Step 4. How do we know this projection won't significantly damage a valid +money state? + +First let's define the set of all equivalent +grid diagrams $G$ with Alexander polynomial $p$ and with dimension outside +the cutoff regions: + +\begin{displaymath} +\mathcal{G} = \{ +G:A(G)=p \land d(G) \in +[2, \frac{\overline{D}}{2}) +\cap (\frac{3\overline{D}}{2},2\overline{D}] +\} +\end{displaymath} + +Then lets take the norm of the difference between the original valid money state +$\ket{\psi}$ and the same state after its tails have been cut off, +$\ket{\tilde{\psi}}$, which ends up just being the sum of the coefficients +squared +of grid diagrams in $\mathcal{G}$. + +\begin{displaymath} +|| \ket{\psi} - \ket{\tilde{\psi}} || \le +\sum_{G \in \mathcal{G}} (\sqrt{q(d(G))})^2 +\end{displaymath} + +Recall that $q(d)$ is designed to be a Gaussian distribution with +standard deivation $\sqrt{\overline{D}}/2$, which we can recenter to zero mean. +Then we +can calculate the area under the distribution from +$\frac{\overline{D}}{2}$ to $\frac{3\overline{D}}{2}$ using the error function: +\cite{WikipediaNormal} + +\begin{multline*} +F(\mu + n\sigma; \mu, \sigma^2) - F(\mu - n\sigma; \mu, \sigma^2) = +\Phi(n) - \Phi(-n) \\ = \textrm{erf}(\frac{n}{\sqrt{2}}) = +\textrm{erf}(\frac{\sqrt{\overline{D}}}{2\sqrt{2}}) +\end{multline*} + +Here, $n = \sqrt{\overline{D}}/2$, and we can approximate the +error function by: + +\begin{displaymath} +erf(\frac{\overline{D}}{2\sqrt{2}}) = +\sqrt{1 - \exp(-\Omega(\overline{D}^2))} = 1 - \exp(\Omega(\overline{D}^2)) +\end{displaymath}
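Review bot: The set definition joins $[2, \frac{\overline{D}}{2})$ and $(\frac{3\overline{D}}{2},2\overline{D}]$ with \cap; those intervals are disjoint, so as written $\mathcal{G}$ is empty. The prose ("dimension outside the cutoff regions", "the tails") calls for the union, \cup. In the last displaymath the minus sign is dropped from the exponent: "= 1 - \exp(\Omega(\overline{D}^2))" should be 1 - \exp(-\Omega(\cdot)) to agree with the \sqrt{1 - \exp(-\Omega(\cdot))} on the same line, and its argument \frac{\overline{D}}{2\sqrt{2}} disagrees with the \frac{\sqrt{\overline{D}}}{2\sqrt{2}} in the multline just above. Please also recheck the order of the exponent: with the stated $\sigma = \sqrt{\overline{D}}/2$ and cutoffs at $\overline{D}/2$ and $3\overline{D}/2$, the half-width is $\overline{D}/2 = \sqrt{\overline{D}}\,\sigma$, so $n = \sqrt{\overline{D}}$ rather than $\sqrt{\overline{D}}/2$, and in either case erfc bounds the tail by $\exp(-n^2/2) = \exp(-\Omega(\overline{D}))$, linear rather than quadratic in $\overline{D}$. Note too that the multline computes the mass inside $[\mu - n\sigma, \mu + n\sigma]$, i.e. the part that is kept, while the norm bound sums over the tails that are cut, so the damage is one minus that quantity. Minor: "erf(" in the last display should be \textrm{erf} as above, "standard deivation" -> "standard deviation", "Then lets" -> "Then let's", and \cite{WikipediaNormal} reads better inside the sentence than after the colon.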
 
@@ -0,0 +1,58 @@ +\section{Future Extensions} + +To extend this scheme or prove it secure, we would need a better +understanding of knots and quantum algorithms for them. The +two obvious future extensions are to come up with a quantum algorithm +for knot equivalence to attach the security of this scheme directly or +to prove an eigenvalue gap for the Markov chain in the verification +scheme. Aside from those, here are a +few other interesting directions: + +\begin{enumerate} +\item Current schemes do not address the demand for currency. +For a given security parameter $\overline{D}$, +are there sufficiently many Alexander polynomials (serial numbers) +available to supply the world with enough quantum bills? +To do this, we would need to lower-bound the number of +different knots that can be embedded in grid diagrams of up to size +$2\overline{D}$, not including the unknot which has empirically been shown +to +occupy the vast majority of grid diagrams. +\item +Quantum bills and coins currently have no denomination associated with +them and so are of unit value. +Is it possible to associate a denomination with quantum money, or to have +it be dividable or combinable? +\item +It turns out that a certain class of states can be efficiently copied, which +includes the eigenstates of the addition operator, $\ket{\psi_{n,k}}$, +used to enact arbitrary controlled phase +rotations in the quantum compiling algorithm of Kitaev, Shen, and Vyalyi +\cite{KSV02}. The state to copy (say $\ket{\psi_{n,1}}$, which is hard +to produce), but is of the +same form as the "empty" register to hold the new copy +($\ket{\psi_{n,0}}$, which +is easy to produce). 
As in +\begin{displaymath} +\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow +\ket{\psi_{n,1}}\otimes\ket{\psi_{n,1}} +\end{displaymath} +If it turns out that weighted superpositions of equivalent +grid diagrams are within that class of states, then the valid money state +$\ket{\$_p}$could be copied into an entangled pair +$\ket{\$_p} \otimes \ket{\$_p}$, either have of which would pass +verification. +\end{enumerate} + +Interesting results which have emerged since the main paper \cite{Farhi2010} +include a new online attack for Wiesner's original scheme +\cite{Lutomirski2010} which involves the bank returning bogus bills. +Incidentally, the related work \cite{Lutomirski 2010} addresses this same +concern of a mint artificially inflating currency by releasing additional bills, +and then sketches a solution using a \emph{collision-free} quantum money +protocol. + +However, if one is not satisfied with the hardness of finding a connecting +sequence of Reidemeister moves between any two grid diagrams, we can increase +the hardness even further by embedding knots into three dimensions, using +so-called \emph{cube diagrams}\cite{Baldridge2009}.  
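Review bot: \cite{Lutomirski 2010} (with a space) in the penultimate paragraph will not resolve; the same work is cited as \cite{Lutomirski2010} one sentence earlier, so the key should match. The third \item repeats, nearly verbatim, the second item of the Possible Attacks section added in this same commit (the KSV $\ket{\psi_{n,k}}$ copying attack and its displaymath); keep it in one place and point to it with \ref from the other. Wording: "to attach the security of this scheme directly" presumably means "attack"; "either have of which" -> "either half of which"; "The state to copy (say $\ket{\psi_{n,1}}$, which is hard to produce), but is of the same form" has a dangling "but". Spacing: "$\ket{\$_p}$could" needs a space after the math, and "\emph{cube diagrams}\cite{Baldridge2009}" needs a tie (~) before the \cite.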
@@ -0,0 +1,41 @@ +\section{Introduction} + +General quantum states cannot be cloned, but this apparent +algorithmic disadvantage can be turned into a cryptographic advantage. +Money is a common implementation of a +real-life, physical one-way function: +we want valid bills and coins to be easily creatable (via a +\emph{minting algorithm} possibly with some classical secret) by a central +bank but easily checkable (by a public \emph{verification algorithm}) +by anyone with access to a quantum computer. + +This project provides a critical summary of a recent proposed + quantum money scheme based on the properties +mathematical knots \cite{Farhi2010}. +The interested reader is referred to that paper for +a good summary of prior work. +While a promising approach, this scheme's Markov-chain-based +verification algorithm is incomplete +and may not be able to distinguish valid and invalid quantum money states. + +First, we briefly review knots and how they are used +in the minting algorithm to create valid money states. +Second, we move on to the main part of this paper, the dissection of the +verification algorithm, including a calculation bounding how much +damage is done to a valid money state and a discussion about our +desired mixing properties for the Markov chain part. +Then we expand upon existing attacks for this scheme. +Finally, we conclude with future extensions to this exciting work to +make the scheme more concrete. + +%\section{Related Work} + +%The unforgeability of quantum money was studied as early as Wiesner +%\cite{}. Although his scheme provides information-theoretic security +%in the sense of relying directly on the laws of physics, it has the +%severe disadvantage of involving the mint in every transaction. +%Ideally, we would like our quantum money to be publicly verifiable, that is, +%without resorting to the trusted authority for every interaction. +%Aaronson proved that public-key quantum money was possible relative to an oracle + +  
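Review bot: The one-way-function analogy in the first paragraph gives only the two easy directions (easy to mint with the secret, easy to verify publicly) and never states the hard direction that makes it one-way; add the clause that producing a state which passes verification without the minting secret must be infeasible, since the Possible Attacks section is about exactly that property. Wording: "a recent proposed quantum money scheme based on the properties mathematical knots" -> "a recently proposed quantum money scheme based on the properties of mathematical knots". The commented-out Related Work block carries an empty \cite{} for Wiesner; if it is uncommented later it will yield an undefined citation, so fill in the key now (the Future Extensions section already refers to Wiesner's scheme) or drop the block.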
@@ -0,0 +1,19 @@ +\section{Knots and Grid Diagrams} + +Knots are three-dimensional mathematical objects analogous to a (directed) string +that can be arbitrarily tangled with itself. Knots can be projected into +two-dimensions where every string crossing is drawn as solid (the overcrossing +segment) or broken (the undercrossing segment). However, string is a loose +and messy analogy to deal with. To discretize knots into a useful computational +tool, we can embed them into two-dimensional$d \times d$grid diagrams, +containing$d$each of$X$and$O$markers, with exactly one of each in every +column and row. + +A link is a collection of +one or more directed knots, possibly separable. +If a link is separable, or if a link is the unknot the Alexander polynomial of +its corresponding grid diagrams is 0. + +Just as knots are invariant under Reidemeister moves, +the Alexander polynomial is an invariant of knots embedded in grid diagrams +under equivalent moves.  
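Review bot: This file duplicates the \section{Knots} material in the Quantum Money file added in the same commit (both define $d \times d$ grid diagrams with $d$ X and $d$ O markers, one of each per row and column); pick one home for the definition. The two also disagree on notation, $X$/$O$ here versus \textsf{X}/\textsf{O} there. "If a link is separable, or if a link is the unknot the Alexander polynomial ... is 0" needs a comma before "the Alexander polynomial", and the unknot part of the claim should be checked against the source: zero is the standard value for split links, whereas the unknot is normally normalized to Alexander polynomial 1. "under equivalent moves" in the last sentence is vague; name the grid moves meant. Spacing: "two-dimensional$d \times d$grid diagrams" and "containing$d$each of$X$and$O$markers" need spaces around the inline math, and "two-dimensions" -> "two dimensions".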
@@ -0,0 +1,56 @@ +\section{Markov Chain Mixing to Distinguish Money States} + +In Step 4 of the verification scheme, we apply a Markov chain +$\hat{B}$and then +project onto its +1 eigenstates. This depends on valid money states +$\ket{\$_p}$ +being very close to +1 eigenstates of $\hat{B}$, much closer than +the eigenstates corresponding to invalid money. +Valid money states cannot be exactly +1 eigenstates, because those +include mixing from grid diagrams in $\mathcal{G}$ above, +with size in the tails that we cut off in Step 3. Therefore, our only +hope is that the eigenvalues for $\ket{\$_p}$being exponentially +close to one and the eigenvalues for all other states being at least +polynomially farther away. + +Unfortunately, we don't understanding enough about knots to make that +claim for this particular Markov chain. This is the biggest open +question and avenue for attack in our knot-based scheme. +In particular, we don't know +the eigenvalue gap, if any, between the lowest eigenvalue of +a$\ket{\$_p}$ (call it $(1-a), a \in [0,1)$) and the highest eigenvalue of any other +eigenstates (call it $(1-b), b \in [0,1)$). We are guaranteed to be exponentially close +to some eigenstate of $\hat{B}$ after calculating and measuring the +Alexander polynomial in Step 2 above. + +However, as dreamers, we can imagine what desirable properties we would +like to prove for $\hat{B}$. First, we would like $b > a$, so that +there is a gap. First, we would like to show that $a$ is +small, so a $\ket{\$_p}$doesn't degrade under +$r$repetitions of Markov chain verification and still projects +to a +1 eigenstate with high probability. + +\begin{displaymath} +a = \frac{1}{\exp(\Omega(\overline{D}))} +\end{displaymath} + +Second, we would like to show that$b$is polynomially away from 1, so +that under$r$repetitions of Markov chain verification, it +projects to a +1 eigenstate with low probability. 
+ +\begin{displaymath} +b = \frac{1}{\Omega(\overline{D})} +\end{displaymath} + +We would like to show that difference in probabilities increases +exponentially close to 1 with$r$: + +\begin{multline*} +(1-a)^r - (1-b)^r \ge (1 - ra) - (1 - rb) \\ += r(b-a) = +\frac{1}{\exp(\Omega(\overline{D}))} - \frac{1}{\Omega(\overline{D})} +\end{multline*} + +Therefore, if$(b-a)$also increases exponentially closer to 1, we can +get away with$r = \textrm{poly}(\overline{D})$repetitions, so that our +Markov chain verification procedure is tractable.  
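Review bot: The inequality in the multline does not follow: Bernoulli's inequality gives $(1-b)^r \ge 1 - rb$, a lower bound on the term being subtracted, so "(1-a)^r - (1-b)^r \ge (1 - ra) - (1 - rb)" is not justified; lower-bounding the difference needs an upper bound on $(1-b)^r$, such as $e^{-rb}$. The last line also reverses the signs and drops the factor r: with $a = 1/\exp(\Omega(\overline{D}))$ and $b = 1/\Omega(\overline{D})$ as displayed, $r(b-a) = r(\frac{1}{\Omega(\overline{D})} - \frac{1}{\exp(\Omega(\overline{D}))})$. The closing sentence, "if $(b-a)$ also increases exponentially closer to 1", contradicts the displayed $b = 1/\Omega(\overline{D})$, which makes $b-a$ inverse-polynomial; the conclusion that $r = \textrm{poly}(\overline{D})$ suffices rests instead on $rb$ becoming large (so $(1-b)^r \le e^{-rb}$ is small) while $ra$ stays small, so say that. Wording: "First, we would like $b > a$ ... First, we would like to show ... Second, we would like" should be First/Second/Third; "we don't understanding" -> "we don't understand"; "our only hope is that the eigenvalues ... being exponentially close" -> "are exponentially close"; "lowest eigenvalue of a $\ket{\$_p}$" reads oddly since $\ket{\$_p}$ is a state, not an operator. Spacing: "$\hat{B}$and", "$\ket{\$_p}$being", "a$\ket{\$_p}$", "$\ket{\$_p}$doesn't", "$r$repetitions", "that$b$is" and "under$r$repetitions" all need spaces around the inline math.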
@@ -0,0 +1,58 @@ +\section{Quantum Money} + +Consider notes which consist of a quantum state$\ket{\$_p}$ in +a fixed basis $\mathcal{B}$ +and a classical serial number $p$, +together with a global classical function $A$ which computes +$p$ from the basis states. $\ket{\$_p}$is a (possibly weighted) superposition +of basis states$\ket{G}$which are equivalent in the sense that they all map +to the same value. + +\begin{displaymath} +\ket{\$_p} = \frac{1}{\sqrt{N}} \sum_{G:A(G)=p} q_G \ket{G} +\end{displaymath} + +With respect to some security parameter $\overline{D}$, +we would like a different serial number $p$ to be produced each time +with probability exponentially close to 1 to prevent forgery through +repetition +of the minting algorithm. For each $p$, or even from each $\ket{G}$ where +$A(G)=p$, it should be difficult to find all equivalent basis states and +therefore +to forge their superposition. We will see later that it is useful to +shape the weights $q_G$ of the superposition, rather than have uniform +distribution. So how do we do this? Two words: knots, maybe. + +\section{Knots} + +Knots are like a loop of string which can be arbitrarily tangled +with +itself in three dimensions. We +can represent them in two-dimensions with $d \times d$ +\emph{grid diagrams}, where strands +pass vertically and horizontally between $d$ \textsf{X} and +$d$ \textsf{O} markers, +one of each kind of marker in each column and row. +Equivalently, we can encode a grid diagram purely through +a pair of disjoint permutations $\Pi_{\textsf{X}}$ +and $\Pi_{\textsf{O}}$ on the integers $\{1, \ldots, d\}$. + +An Alexander polynomial can be computed for each knot based on its +crossings and is invariant under the Reidemeister moves. Therefore, +all grid diagrams of the same knot have the same Alexander polynomial +and can be transformed into one another. 
+However, it is conjectured to be hard (even for a quantum computer, on +average) to be able to generate all such equivalent +grid diagrams, or even more simply to determine if two grid diagrams are +equivalent. However, we can easily create a quantum +superposition of all grid encodings, compute their Alexander polynomials +$p$ into a second register, then measure $p$ to be left with the +superposition of all corresponding equivalent grid diagrams. +This one-wayness, due to quantum measurement, combined with the classical +one-wayness of digitally signing $p$, result in the one-wayness of +the minting algorithm. + +Based on the leading notation above, you have probably guessed that the +basis $\mathcal{B}$ consists of all grid diagrams of size $d$ which ranges +from $2$ to $2\overline{D}$. The size of a grid diagram is +denoted as $d(G)$.
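Review bot: The displayed state $\ket{\$_p} = \frac{1}{\sqrt{N}} \sum_{G:A(G)=p} q_G \ket{G}$ puts the shaping weight $q_G$ directly on the amplitude, while the Damage section in this same commit writes the amplitude as $\sqrt{q(d(G))}$ and treats $q$ as a probability distribution over grid sizes; settle on one convention and state the normalization (what $N$ is). The \section{Knots} here overlaps the separate Knots and Grid Diagrams file added in this commit; one definition of grid diagrams is enough. Grammar: "combined with the classical one-wayness of digitally signing $p$, result in" -> "results in"; "two-dimensions" -> "two dimensions". Spacing: "$\ket{\$_p}$is a (possibly weighted) superposition" and "states$\ket{G}$which" need spaces around the inline math.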

#### 0 comments on commit f0489be
